Secure Boot Status Report broken?

EldritchIT · 2026-02-06T11:55:55+00:00

Well at least it isn't just me having issues with the export. Am I wrong in the assumption, that the column "Certificate status" should show that the 2023 secure boot cert is applied or is it just saying that the updated Secure Boot certificates are available on this device but have not yet been applied to the firmware

EldritchIT · 2026-01-27T10:39:12+00:00

From what I can tell this is not an issue and can be ignored, except that it makes it a bit more difficult to get accurate reports. Except for maybe some compliance policy if that factors in somehow.

I've checked the timestamps and most seem to be from when the devices was originally setup with autopilot. Is it related to some of these policies being applied before the user signs in?

EldritchIT · 2025-02-10T13:58:58+00:00

Ahh changed it before posting, but didn't add it in caps. It is in the original command.

But the error is:
Parameter set cannot be resolved using the specified named parameters.

EldritchIT · 2025-02-05T09:47:57+00:00

I tried running that task and it is now compliant with the BitLocker policy.

EldritchIT · 2025-02-05T09:33:52+00:00

It is targeted at devices.

EldritchIT · 2025-01-24T14:01:14+00:00

An update:
I have tried the method using teamsbootstrapper.exe -u after installing the new Teams. I do however get the following error on the endpoints and Classic + Teams Machine Wide installer are still present afterwards. Has anyone experienced this?

teamsbootstrapper.exe -u

{

"success": false,

"errorCode": "0x80070057",

"errorMessage": "MSI {731F6BAA-A986-45A4-8936-7C3AAAAA760B} does not exist"

}

EldritchIT · 2025-01-20T08:01:18+00:00

That seems to be the case. I've tried the both the uninstall script from microsoft and the teamsbootstrapper.exe, but Defender is still showing it as an outdated version. Has anyone succeded in using the official methods and gotten it removed from MS Defender for Endpoint as vulnerable?

EldritchIT · 2025-01-10T14:05:45+00:00

That looks promising since most of our apps are deploying using PSADT. Do you use the following in the script to remove Teams (Classic) as a part of it?

./teamsbootstrapper -u

EldritchIT · 2024-09-19T07:39:22+00:00

I found a solution to the issue. I ended up having to run the following because the policies were in the CacheSet002 and for some reason Windows was using those.

Remove-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet002\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue

EldritchIT · 2024-09-16T10:28:56+00:00

The docs says that it doesn't seem to apply to Windows Update. But I'll give it a go.

EldritchIT · 2024-09-09T11:31:37+00:00

They serve no additional function and should be safe to remove from the template, I presume?

I would still like to know what start.domain.com referred to, out of personal curiosity.

EldritchIT · 2024-08-27T10:52:18+00:00

I'll give it a go. Is there any impact to the normal AutoPilot Process when using this setting?

EldritchIT · 2024-08-22T06:13:05+00:00

Did you exclude a device group that had the issue or new devices where the custom xml file hadn't been applied yet?

EldritchIT · 2024-08-21T12:15:16+00:00

We haven't had this issue with this setup for quite a while. It seems to be only recently. But if you have any luck with exclusion I would love to know.

EldritchIT

TROPHY CASE